Progress in the behavioral analysis of software product lines at the family level benefits from further
development of the underlying semantical theory. Here, we propose a behavioral equivalence for
feature transition systems (FTS) generalizing branching bisimulation for labeled transition systems
(LTS). We prove that branching feature bisimulation for an FTS of a family of products coincides
with branching bisimulation for the LTS projection of each of the individual products. For a restricted
notion of coherent branching feature bisimulation we furthermore present a minimization algorithm
and show its correctness. Although the minimization problem for coherent branching feature bisimulation
is shown to be intractable, application of the algorithm in the setting of a small case study
results in a significant speed-up of model checking of behavioral properties.

1 Introduction 

Notions of behavioral equivalence, like bisimulation, play an important role in the analysis of large 
systems in general and thus of (software) product lines in particular. Abstractions based on behavioral 
equivalences compress, via abstraction operations and minimization algorithms, a model’s state space 
prior to verification. Subsequently, verification can be done in less time, using less memory. 

Compared to single system verification, SPLE adds variability as yet another dimension to the complexity
of behavioral analysis. In general, the number of possible products of a product line is exponential
in the number of features. This calls for dedicated modeling and analysis techniques that make it possible
to specify and reason about an entire product line at once. In this paper we consider the model of feature
transition systems [6], which facilitates efficient family-based verification. Dedicated techniques generally use
variability knowledge about valid feature configurations to deduce results for products from a family
model, as opposed to enumerative product-based verification, in which every product is examined individually.
For example, in [7] behavioral pre-orders of FTS are given with respect to specific products to
define abstractions based on simulation quotients that preserve LTL properties. We refer to [19] for an
overview of verification strategies in SPLE and the trade-off of product-based vs. family-based analysis.

In [3, 4] we applied tailored property preserving reductions to a product line modeled with mCRL2 [8]
and we verified by means of model checking a number of behavioral properties of the product line. The
mCRL2 toolset provides specific support for reduction modulo branching bisimulation [14]. This led
us to investigate a feature-oriented notion of branching bisimulation inspired by the research reported
in [7] (which focuses on a notion of simulation). In this paper, we propose a definition of what is
coined branching feature bisimulation, extending the definition in [14], and we seek to adapt the efficient
algorithm of [15] to compute, given an FTS, a minimal FTS that is branching feature bisimilar.

In our pursuit to transfer the results of [7] to the case of branching bisimulation, a number of issues
arise due to the presence of feature expressions, though. One such issue for FTS is that minimization in
the number of states is not the same as minimization in the number of transitions, a situation that does not
occur with LTS. Our effort here is to reduce the number of states. In order to make our minimization
algorithm work, we restrict to so-called coherent rather than arbitrary branching feature bisimulation
relations. We will prove that our algorithm reduces an FTS $\mathbb{S}$ to a minimal FTS $\mathbb{S}_{\min}$ for which there
exists a coherent branching feature bisimulation relation for $\mathbb{S}$ and $\mathbb{S}_{\min}$. Moreover, no smaller FTS $\mathbb{S}'$
exists which is also coherent branching feature bisimilar to $\mathbb{S}$. However, as we will argue by a reduction of
graph coloring, the minimization problem is NP-complete for coherent branching feature bisimulations
(and we suspect this is the case for branching feature bisimulation as well). Still, as an evaluation of the
approach for a relatively small toy example illustrates, overall a substantial reduction in computation time
is achieved for bisimulation-enhanced family-based analysis as compared to enumerative product-based
analysis. In particular, for properties involving a limited number of features, verification time using the
family FTS is only a third to a quarter of the time needed to verify all product LTS.

Behavioral equivalences also form the basis of conformance notions as used for model elaboration by
iterative refinement of partial behavioral models. In SPLE, this makes it possible to relate fully configured
product behavior to family models with optional behavior reflecting product variability. Examples are approaches
based on process algebra [20] and on modal transition systems (MTS) [1, 12, 10]. In [20], a so-called variant
process algebra is introduced, which allows one to model family behavior that subsumes the behavior
of all possible product variants. Special-purpose bisimulation relations then allow one to compare variants
among each other and against the family. In SPLE, MTS are one of the models used to specify family
behavior encompassing all possible product behavior, represented by those LTS that are implementations
of the MTS (obtained by refinement of admissible behavior). In [10], weak and strong refinement for
MTS as defined in [16] (based on weak and strong bisimulation) are shown to be inadequate for applications
in SPLE (mainly due to the lack of support for unobservable actions and for preserving branching
behavior, respectively) and a novel notion of refinement is introduced preserving the branching structure.
It moreover preserves properties expressed in 3-valued weak $\mu$-calculus. However, its definition is not
operational and algorithms for conformance checking are thus infeasible.

The paper outline is as follows. Building on definitions and an algorithm for branching bisimulation
of LTS reviewed in Section 2, we introduce in Section 3 the notion of branching feature bisimulation
and show its soundness for branching bisimulation with respect to all products. The algorithm for
minimizing modulo coherent branching feature bisimulation is given in Section 4, which also provides an
NP-completeness proof for the minimization problem. A validation of the approach, based on a toy
example of a product line of coffee/soup vending machines, is reported in Section 5. Finally, Section 6
briefly wraps up with concluding remarks and future work.


2 Branching bisimulation for labeled transition systems 

Strong bisimulation is a cornerstone of the theory of LTS [17], but is often too fine a behavioral equivalence
for verification purposes. Application of its minimization algorithm typically reduces the system
under verification only in a limited way. Having this in mind, various weaker notions have been studied
in the literature [11, 12]. In the context of model checking, branching bisimulation as proposed for LTS
by Van Glabbeek & Weijland enjoys a number of appealing properties [13]. We recall and illustrate
its definition, and discuss the outline of a minimization algorithm that returns the smallest LTS that is
branching bisimilar to a given one. To this end, we fix an alphabet of actions $A$, distinguish a symbol
$\tau \notin A$, referred to as the silent action, and let $A_\tau = A \cup \{\tau\}$.

Definition 1. A labeled transition system is a triple $\mathbb{S} = (S, \to, s_*)$ with set of states $S$, transition relation
$\to \subseteq S \times A_\tau \times S$, and initial state $s_* \in S$.

(a) For $s, s' \in S$, we write $s \Rightarrow s'$ if $\exists n\, \exists s_0 \cdots s_n : s_0 = s \wedge (\forall i, 1 \le i \le n : s_{i-1} \xrightarrow{\tau} s_i) \wedge s_n = s'$.

(b) A symmetric relation $R \subseteq S \times S$ is called a branching bisimulation relation if $\forall s, s', t \in S$, $\alpha \in A_\tau$
such that $R(s,t)$ and $s \xrightarrow{\alpha} s'$, it holds that $R(s, \hat{t})$, $R(s', t')$ and $t \Rightarrow \hat{t} \xrightarrow{(\alpha)} t'$ for some $\hat{t}, t' \in S$.

(c) Two states $s, t$ of $\mathbb{S}$ are called branching bisimilar if $R(s,t)$ for some branching bisimulation relation $R$.
Notation $s \sim_b t$.


Note the notation $t \xrightarrow{(\alpha)} t'$ used in part (b) of this definition. Following [14], we have $t \xrightarrow{(\alpha)} t'$ if either
$t \xrightarrow{\alpha} t'$ or $\alpha = \tau$ and $t = t'$, an elegant trick to allow the transition $s \xrightarrow{\tau} s'$ to be matched by $t \Rightarrow t \xrightarrow{(\tau)} t$, i.e.
by no transition for $t$ in case $R(s',t)$.

In Figure 1 at the left-hand side, $s_0$ and $t_0$ are not branching bisimilar: Clearly state $s_1$ is not branching
bisimilar to state $t_0$ since $s_1$ lacks a transition that $t_0$ has. But then, the transition $t_0 \xrightarrow{a} t_1$ cannot be matched by
the transition sequence $s_0 \Rightarrow s_1 \xrightarrow{a} s_0$ because the intermediate state $s_1$ cannot be related to state $t_0$,
as specifically required by the definition. However, for $u_0$ and $v_0$ at the right-hand side, the transition
$v_0 \xrightarrow{a} v_1$ can be matched by $u_0 \Rightarrow u_1 \xrightarrow{a} u_4$, since in this case $v_0$ and $u_1$ are branching bisimilar. It is
noted that $u_0$ and $v_0$, but also $s_0$ and $t_0$, are weakly bisimilar in the sense of Milner [17].



Figure 1: Two non-branching bisimilar states and two branching bisimilar states 

An efficient minimization algorithm for branching bisimulation is due to Groote & Vaandrager [15],
based on the partition refinement algorithm of Paige & Tarjan [18]. It involves the notions of a partition
of the set of states, and of a splitter: Consider a finite LTS $\mathbb{S} = (S, \to, s_*)$ over the action set $A_\tau$.

• A partition of $S$ is a collection $\mathcal{B} = \{ B_i \mid i \in I \}$ of subsets of $S$ that disjointly covers $S$, i.e. $\bigcup_{i \in I} B_i = S$,
and $B_i \cap B_j = \emptyset$ if $i \neq j$, for all $i, j \in I$. The elements of a partition are referred to as blocks.

• For a partition $\mathcal{B}$, blocks $B, B' \in \mathcal{B}$, and $\alpha \in A_\tau$ we let $pos_\alpha(B,B') = \{ s \in B \mid \exists \hat{s} \in B\, \exists s' \in B' : s \Rightarrow \hat{s} \xrightarrow{\alpha} s' \}$,
and $neg_\alpha(B,B') = \{ s \in B \mid \forall \hat{s} \in B\, \forall s' \in B' : (s \not\Rightarrow \hat{s}) \vee (\hat{s} \not\xrightarrow{\alpha} s') \}$.

• For blocks $B, B'$ of a partition $\mathcal{B}$, the block $B'$ is called a splitter of $B$ for an action $\alpha \in A_\tau$ if both
$pos_\alpha(B,B') \neq \emptyset$ and $neg_\alpha(B,B') \neq \emptyset$.

A simplified version of the algorithm of [15] for minimization modulo branching bisimulation starts with
the trivial partition $\mathcal{B} = \{S\}$ and iterates

while splitter $B'$ of block $B \in \mathcal{B}$ for $\alpha \in A_\tau$ exists do $\mathcal{B} := (\mathcal{B} \setminus \{B\}) \cup \{ pos_\alpha(B,B'), neg_\alpha(B,B') \}$ end

Thus, starting from the trivial partition $\{S\}$, having the complete set of states $S$ as a single block, we keep
refining the partition based on a splitter. Clearly, the algorithm terminates for a finite LTS in at most $|S|$
many steps. We refer to [15] for a proof of the following result.
Theorem 2. Assume $\mathcal{B}_{\min}$ is the partition obtained upon termination after applying the algorithm to the
LTS $\mathbb{S} = (S, \to, s_*)$. Define the LTS $\mathbb{S}_{\min} = (\mathcal{B}_{\min}, \to_{\min}, B_*)$ letting $B \xrightarrow{\alpha}_{\min} B'$ if there exist $s \in B$,
$s' \in B'$ such that $s \xrightarrow{\alpha} s'$ for $B, B' \in \mathcal{B}_{\min}$, $\alpha \in A_\tau$ with $B \neq B'$ or $\alpha \neq \tau$, and by choosing $B_*$ such that
$s_* \in B_*$. Then $\mathbb{S}_{\min}$ is the smallest LTS that is branching bisimilar to $\mathbb{S}$. □

In the simplified algorithm sketched above, the major part of the computation is spent on unfolding of the
relation $\Rightarrow$. The algorithm of [15] reduces this by eliminating $\tau$-cycles and by keeping track, per block,
of so-called bottom states. The complexity of the Groote & Vaandrager algorithm is $O(m \log m + m \cdot n)$,
with $n$ the number of states and $m$ the number of transitions. Typically, for an LTS $m \ll n^2$. It is known
that branching bisimulation preserves the fragment of the modal $\mu$-calculus consisting of CTL* minus
the next operator [9]. Therefore, exploiting this fact in practical situations, a significant reduction of the
state space and corresponding speed-up of subsequent verification can be obtained by applying hiding of
actions followed by the minimization algorithm for branching bisimulation.

In the sequel of this paper, we seek to apply the idea of branching bisimulation (i.e. allowing silent 
moves through bisimulation equivalent states but through no other) and its minimization techniques to 
the setting of FTS, where not only actions but also feature expressions decorate the transitions. 
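The simplified partition-refinement loop of this section, as an added example that is not code from the paper: it runs over a constructed LTS shaped like the Figure 1 discussion (a silent move to a state lacking a transition, versus a silent move to a state that behaves like its counterpart) and builds the quotient LTS of Theorem 2. Two assumptions are built in: the $\tau$-path of $s \Rightarrow \hat{s}$ must stay inside the block being split, and $(B, B, \tau)$ is never treated as a splitter, as in the FTS version of Section 4.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

TAU = "tau"                        # the silent action
Transition = Tuple[str, str, str]  # (source, action, target)


class LTS:
    """Finite labelled transition system (Definition 1) with string-named states."""

    def __init__(self, transitions: Iterable[Transition], initial: str):
        self.initial = initial
        self.transitions: List[Transition] = list(transitions)
        self.states: Set[str] = {initial}
        self.succ: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
        for s, a, t in self.transitions:
            self.states |= {s, t}
            self.succ[s].append((a, t))

    def tau_reach(self, s: str, block: FrozenSet[str]) -> Set[str]:
        """All s_hat with s => s_hat such that the whole tau-path stays inside block
        (assumption: only tau-paths inside the block count)."""
        seen, stack = {s}, [s]
        while stack:
            x = stack.pop()
            for a, y in self.succ[x]:
                if a == TAU and y in block and y not in seen:
                    seen.add(y)
                    stack.append(y)
        return seen


def pos(lts: LTS, B: FrozenSet[str], B2: FrozenSet[str], action: str) -> FrozenSet[str]:
    """pos_action(B, B2): states of B reaching B2 by a tau-path inside B plus one
    action-step; neg_action(B, B2) is its complement B - pos(...)."""
    return frozenset(s for s in B
                     if any(a == action and y in B2
                            for x in lts.tau_reach(s, B) for a, y in lts.succ[x]))


def find_splitter(lts: LTS, blocks: Set[FrozenSet[str]]):
    """Return (B, pos) for the first block B2 that splits B, i.e. pos and neg are both
    non-empty; a tau-step that stays inside B is inert, so (B, B, tau) is skipped."""
    actions = {a for _, a, _ in lts.transitions}
    for B in blocks:
        for B2 in blocks:
            for action in sorted(actions):
                if action == TAU and B == B2:
                    continue
                p = pos(lts, B, B2, action)
                if p and p != B:
                    return B, p
    return None


def branching_partition(lts: LTS) -> Set[FrozenSet[str]]:
    """Partition refinement of Section 2: start from {S} and split until no splitter is left."""
    blocks: Set[FrozenSet[str]] = {frozenset(lts.states)}
    while (split := find_splitter(lts, blocks)) is not None:
        B, p = split
        blocks = (blocks - {B}) | {p, B - p}
    return blocks


def branching_bisimilar(lts: LTS, s: str, t: str) -> bool:
    return any(s in B and t in B for B in branching_partition(lts))


def minimize(lts: LTS) -> LTS:
    """The quotient LTS of Theorem 2: blocks become states, inert tau-loops are dropped."""
    blocks = branching_partition(lts)
    block_of = {s: B for B in blocks for s in B}
    name = {B: "+".join(sorted(B)) for B in blocks}
    quotient = {(name[block_of[s]], a, name[block_of[t]])
                for s, a, t in lts.transitions
                if block_of[s] != block_of[t] or a != TAU}
    return LTS(sorted(quotient), name[block_of[lts.initial]])


# Constructed input (not the paper's figure): s0 silently moves to s1, which lacks the
# b-step that t0 has, so s0 and t0 are not branching bisimilar; u0 silently moves to
# u1, which behaves exactly like v0, so u0 and v0 are branching bisimilar.
EXAMPLE = LTS([("s0", TAU, "s1"), ("s1", "a", "s2"), ("s0", "b", "s3"),
               ("t0", "a", "t1"), ("t0", "b", "t2"),
               ("u0", TAU, "u1"), ("u1", "a", "u2"), ("u1", "b", "u3"),
               ("v0", "a", "v1"), ("v0", "b", "v2")], "s0")

if __name__ == "__main__":
    print("s0 ~b t0:", branching_bisimilar(EXAMPLE, "s0", "t0"))
    print("u0 ~b v0:", branching_bisimilar(EXAMPLE, "u0", "v0"))
    m = minimize(EXAMPLE)
    print(len(m.states), "states,", len(m.transitions), "transitions in the quotient")
```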

3 Branching bisimulation for feature transition systems 

We fix a finite non-empty set $\mathcal{F}$ of features, a subset $\mathcal{P} \subseteq 2^{\mathcal{F}}$ of products, and again a set $A_\tau$ including the
silent action $\tau$. We let $\mathbb{B}(\mathcal{F})$ denote the set of boolean expressions over $\mathcal{F}$. We refer to elements of $\mathbb{B}(\mathcal{F})$
as feature expressions. For a product $P \in \mathcal{P}$, we use $\chi(P)$ to denote its characteristic formula. The notion
of a feature transition system (FTS) was proposed in [6].

Definition 3. A feature transition system (FTS) $\mathbb{S}$ is a triple $\mathbb{S} = (S, \theta, s_*)$, with $S$ the set of states,
$\theta : S \times A_\tau \times S \to \mathbb{B}(\mathcal{F})$ the transition constraint function, and $s_* \in S$ the initial state.

For states $s, s' \in S$, an action $\alpha \in A_\tau$ and a satisfiable feature expression $\psi \in \mathbb{B}(\mathcal{F})$, we write $s \xrightarrow{\alpha|\psi} s'$ if
$\theta(s, \alpha, s') = \psi$. We say that a product $P \in \mathcal{P}$ satisfies a feature expression $\varphi \in \mathbb{B}(\mathcal{F})$ if $\varphi$ is valid when
the boolean variables corresponding to the features of $P$ are assigned the value true and those not in $P$
the value false, denoted by $P \models \varphi$. The equivalence relation $\sim_\mathcal{P}$ on $\mathbb{B}(\mathcal{F})$ is given by $\varphi \sim_\mathcal{P} \psi$ iff $\forall P \in \mathcal{P} :$
$P \models \varphi \Leftrightarrow P \models \psi$. We let $\mathbb{B}(\mathcal{F})$ stand for $\mathbb{B}(\mathcal{F})/{\sim_\mathcal{P}}$. For an FTS $\mathbb{S} = (S, \theta, s_*)$, we define the reachability
function $\rho : S \to \mathbb{B}(\mathcal{F})$ for $\mathbb{S}$ to be such that

$\forall P \in \mathcal{P} : P \models \rho(s)$ iff $\exists n\, \exists s_0 \cdots s_n\, \exists \alpha_1 \cdots \alpha_n\, \exists \psi_1 \cdots \psi_n :$

$s_0 = s_* \wedge (\forall i, 1 \le i \le n : s_{i-1} \xrightarrow{\alpha_i|\psi_i} s_i \wedge P \models \psi_i) \wedge s_n = s$

for all $s \in S$. We note that, for the ease of presentation in this paper, the definition of an FTS above is
slightly more abstract compared to the original definition given in [6].

Next, we introduce a notion of branching feature bisimulation for FTS, generalizing the notion of
branching bisimulation given by Definition 1 for LTS.

Definition 4. Let $\mathbb{S} = (S, \theta, s_*)$ and $\mathbb{S}' = (S', \theta', s'_*)$ be two FTS.

(a) For $s, s' \in S$, and satisfiable $\rho \in \mathbb{B}(\mathcal{F})$, we write $s \xRightarrow{\rho} s'$ if $\exists n\, \exists s_0, \ldots, s_n\, \exists \eta_1, \ldots, \eta_n : s = s_0 \wedge$
$\forall i, 1 \le i \le n : s_{i-1} \xrightarrow{\tau|\eta_i} s_i \wedge s' = s_n \wedge \rho = \bigwedge_{1 \le i \le n} \eta_i$. Furthermore, we write $s \xrightarrow{(\alpha|\psi)} s'$ in case
$s \xrightarrow{\alpha|\psi} s'$ or $\alpha = \tau \wedge s = s' \wedge \psi = true$.

(b) A symmetric relation $R \subseteq S \times \mathbb{B}(\mathcal{F}) \times S$ is called a branching feature bisimulation relation for $\mathbb{S}$ if
for $s, t \in S$, $\alpha \in A_\tau$ such that $R(s, \varphi, t)$ the so-called transfer condition holds:

$s \xrightarrow{\alpha|\psi} s'$ implies $\exists n\, \exists \hat{t}_1, \ldots, \hat{t}_n\, \exists t'_1, \ldots, t'_n\, \exists \eta_1, \ldots, \eta_n\, \exists \psi_1, \ldots, \psi_n\, \exists \varphi_1, \ldots, \varphi_n\, \exists \varphi'_1, \ldots, \varphi'_n :$

$\forall i, 1 \le i \le n : t \xRightarrow{\eta_i} \hat{t}_i \xrightarrow{(\alpha|\psi_i)} t'_i \wedge R(s, \varphi_i, \hat{t}_i) \wedge R(s', \varphi'_i, t'_i)$ and

$\forall P \in \mathcal{P} : P \models \varphi \wedge \psi \Rightarrow P \models \bigvee_{1 \le i \le n} \eta_i \wedge \psi_i \wedge \varphi_i \wedge \varphi'_i$

(c) Two states $s, t \in S$ are called branching feature bisimilar with respect to $\mathbb{S}$ if $R(s, true, t)$ for some
branching feature bisimulation $R$ for $\mathbb{S}$. Notation $s \sim_{bf} t$.

(d) A branching feature bisimulation relation $R$ for $\mathbb{S}$ and $\mathbb{S}'$ is called coherent if $R(s, \varphi, s')$ implies
$\rho(s) \Rightarrow \varphi$, for all $s \in S$, $\varphi \in \mathbb{B}(\mathcal{F})$, and $s' \in S'$. Notation $\mathbb{S} \sim_{cbf} \mathbb{S}'$.


The specific subset of coherent branching feature bisimulations will be used as a yardstick of comparison
in the minimization algorithm discussed in Section 4. Intuitively, the feature expression $\rho(s)$ captures all
products that can reach state $s$. Coherency requires that $\varphi$ does not exclude part of these products. So
the ‘products of $s$’ are not split by $\varphi$, but treated as a coherent set of products.


Figure 2 depicts the general situation for the transfer condition where a transition $s \xrightarrow{\alpha|\psi} s'$ is matched
by $n$ transition sequences from $t$ in total, viz. $t \xRightarrow{\eta_1} \hat{t}_1 \xrightarrow{(\alpha|\psi_1)} t'_1$ to $t \xRightarrow{\eta_n} \hat{t}_n \xrightarrow{(\alpha|\psi_n)} t'_n$. Moreover, for a
product $P$ for which state $s$ admits the transition labelled $\alpha$, i.e. a product satisfying the constraint $\varphi$
derived from $R$ as well as the feature expression $\psi$ derived from the transition, it is required that state $t$
provides a related transition sequence labeled $\alpha$ for this product as well. Thus, for some $i$, $1 \le i \le n$,
$P$ meets $\eta_i$ and $\psi_i$ and thus can move from $t$ to $\hat{t}_i$ and $t'_i$, while $P$ is included by the constraint $\varphi_i$ for the
relation on $s$ and $\hat{t}_i$ and by the constraint $\varphi'_i$ on $s'$ and $t'_i$.



Figure 2: Transfer diagram for branching feature bisimilarity 

Figure 3 below shows an example of two FTS (without $\tau$-moves) at the left-hand side. At first sight
the relation $R = \{ (s_0, true, t_0), (s_1, \varphi_1, t_1), (s_2, \varphi_2, t_1), (s_3, true, t_2) \}$ may look like a branching feature
bisimulation. However, a closer inspection of the transition $t_1 \xrightarrow{b \,|\, (\varphi_1 \wedge \psi_1) \vee (\varphi_2 \wedge \psi_2)} t_2$ reveals that this
means that we need the formulas $\varphi_i \wedge ((\varphi_1 \wedge \psi_1) \vee (\varphi_2 \wedge \psi_2)) \Rightarrow \psi_i \wedge true$ to hold for $i = 1, 2$. However,
this only holds when $\varphi_1 \wedge \varphi_2 \Rightarrow (\psi_1 \Leftrightarrow \psi_2)$; in that case $R$ is indeed a branching feature bisimulation.
Reversely, if a product meets $\varphi_1 \wedge \varphi_2 \wedge \psi_1 \wedge \neg\psi_2$, there will be a transition for $t_1$ for that product, but not
for $s_2$ as shown by the two LTS at the right-hand side of Figure 3. It is clear that with a transition from
state $s_0$ to state $s_2$ but without a transition between states $s_2$ and $s_3$, on the one hand, and with a path from
$t_0$ to $t_2$, on the other hand, the underlying LTS for the two FTS (and therefore the FTS themselves as we
shall see) cannot be bisimilar.



Figure 3: Bisimilar FTS assuming $\varphi_1 \wedge \varphi_2 \Rightarrow (\psi_1 \Leftrightarrow \psi_2)$ and non-bisimilar LTS

For branching feature bisimulation we have a strict correspondence with branching bisimulation for all
products using the notion of a projection of an FTS. The projection results in an LTS.

Definition 5. Given an FTS $\mathbb{S} = (S, \theta, s_*)$ and a product $P \in \mathcal{P}$, the projection $\mathbb{S}_P$ of $\mathbb{S}$ for the product $P$
is the LTS $\mathbb{S}_P = (S, \to_P, s_*)$, where $s \xrightarrow{\alpha}_P s'$ if some $\psi \in \mathbb{B}(\mathcal{F})$ exists such that $s \xrightarrow{\alpha|\psi} s'$ and $P \models \psi$, for
$s, s' \in S$ and $\alpha \in A_\tau$.

We use $s \sim_P t$ to denote that $s$ and $t$ are branching bisimilar states for the projected LTS $\mathbb{S}_P$.

Theorem 6. Let $\mathbb{S}$ be an FTS with states $s$ and $t$. It holds that $s \sim_{bf} t$ iff $s \sim_P t$ for all $P \in \mathcal{P}$.

Proof. Suppose $R \subseteq S \times \mathbb{B}(\mathcal{F}) \times S$ is a branching feature bisimulation relation with $R(s, true, t)$. Pick
$P \in \mathcal{P}$. Define $R_P = \{ (s', t') \mid \exists \varphi : R(s', \varphi, t') \wedge P \models \varphi \}$. We claim that $R_P$ is a branching bisimulation
relation with $R_P(s,t)$. Clearly $R_P$ is symmetric and $R_P(s,t)$, since $R(s, true, t)$ and $P \models true$. In order to
verify the transfer condition for $R_P$, suppose $R_P(s', t')$ and $s' \xrightarrow{\alpha}_P s''$. Pick, with appeal to the definitions
of $R_P$ and $\mathbb{S}_P$, feature expressions $\varphi, \psi$ such that (i) $R(s', \varphi, t')$ and $P \models \varphi$, and (ii) $s' \xrightarrow{\alpha|\psi} s''$ and $P \models \psi$.
Since $R$ is a branching feature bisimulation, we can find $\hat{t}_i, t'_i, \eta_i, \psi_i, \varphi_i$ and $\varphi'_i$, for $i = 1, \ldots, n$, such that

$t' \xRightarrow{\eta_i} \hat{t}_i \xrightarrow{(\alpha|\psi_i)} t'_i$, $R(s', \varphi_i, \hat{t}_i)$, $R(s'', \varphi'_i, t'_i)$ and $P \models \bigvee_{1 \le i \le n} \eta_i \wedge \psi_i \wedge \varphi_i \wedge \varphi'_i$

for $i = 1, \ldots, n$. Choose $i$ such that $P \models \eta_i \wedge \psi_i \wedge \varphi_i \wedge \varphi'_i$. Since $t' \xRightarrow{\eta_i} \hat{t}_i \xrightarrow{(\alpha|\psi_i)} t'_i$, $R(s', \varphi_i, \hat{t}_i)$
and $R(s'', \varphi'_i, t'_i)$, we have by definition of $\mathbb{S}_P$ and $R_P$ that $t' \Rightarrow_P \hat{t}_i \xrightarrow{(\alpha)}_P t'_i$, $R_P(s', \hat{t}_i)$ and $R_P(s'', t'_i)$. Thus, $R_P$ satisfies
the transfer condition, as was to be shown.

To prove the reverse implication, pick for each $P \in \mathcal{P}$ a branching bisimulation relation $R_P$ such
that $R_P(s,t)$. Define $R \subseteq S \times \mathbb{B}(\mathcal{F}) \times S$ by $R = \{ (s', \varphi, t') \mid \forall P \in \mathcal{P} : P \models \varphi \Leftrightarrow R_P(s', t') \}$. We verify that
$R$ is a branching feature bisimulation. Clearly, $R(s, true, t)$. In order to check the transfer condition for $R$,
suppose $R(s', \varphi, t')$ and $s' \xrightarrow{\alpha|\psi} s''$. Then it holds, for all $P \in \mathcal{P}$ with $P \models \varphi$, that $R_P(s', t')$. Moreover,
for all $P \in \mathcal{P}$ with $P \models \psi$, we have $s' \xrightarrow{\alpha}_P s''$. Thus, for all $P \in \mathcal{P}$ with $P \models \varphi \wedge \psi$, we can pick $\hat{t}_P, t'_P$
and $\eta_P, \psi_P$ such that $P \models \eta_P \wedge \psi_P$, $t' \xRightarrow{\eta_P} \hat{t}_P \xrightarrow{(\alpha|\psi_P)} t'_P$ and $R_P(s', \hat{t}_P)$ and $R_P(s'', t'_P)$.

Suppose $\{ P \in \mathcal{P} \mid P \models \varphi \wedge \psi \} = \{ P_1, \ldots, P_k \}$. Also, for $i = 1, \ldots, k$, let $\hat{t}_i, t'_i$ and $\eta_i, \psi_i$ be shorthand
for $\hat{t}_{P_i}, t'_{P_i}$ and $\eta_{P_i}, \psi_{P_i}$, respectively. Since $R_{P_i}(s', \hat{t}_i)$ and $R_{P_i}(s'', t'_i)$, it holds that $R(s', \varphi_i, \hat{t}_i)$ and
$R(s'', \varphi'_i, t'_i)$ for $\varphi_i, \varphi'_i \in \mathbb{B}(\mathcal{F})$ such that $\chi(P_i) \Rightarrow \varphi_i$ and $\chi(P_i) \Rightarrow \varphi'_i$. We conclude that, for $i = 1, \ldots, k$, it
holds that $t' \xRightarrow{\eta_i} \hat{t}_i \xrightarrow{(\alpha|\psi_i)} t'_i$, $R(s', \varphi_i, \hat{t}_i)$ and $R(s'', \varphi'_i, t'_i)$ while $P \models \varphi \wedge \psi \Rightarrow P \models \bigvee_{1 \le i \le k} \eta_i \wedge \psi_i \wedge \varphi_i \wedge \varphi'_i$,
which verifies the transfer condition for $R$. □
The theorem asserts the soundness of branching feature bisimulation for FTS with respect to branching
bisimulation for the projected LTS for all products. In the sequel, we propose an algorithm for minimization
of an FTS modulo branching feature bisimulation and compare, in a case study, verification of
properties against the minimized FTS to verification of properties against the minimized product LTS.


4 Minimization modulo coherent branching feature bisimulation 

When minimizing an FTS $\mathbb{S}$ we look for an FTS $\mathbb{S}'$ satisfying $\mathbb{S} \sim_{bf} \mathbb{S}'$ and such that it is the smallest in
‘size’. For branching bisimulation for LTS it is the case that a branching bisimilar LTS with the minimal
number of states also has the minimal number of transitions (after removal of $\tau$-loops). Algorithms for
branching bisimulation reduction make use of this fact by looking for the unique LTS with the minimal
number of states. Unfortunately, this is not true for branching feature bisimulation, as is demonstrated
in Figure 4. The FTS $\mathbb{T}$ and $\mathbb{U}$ are both branching feature bisimilar to FTS $\mathbb{S}$, and both have the minimal
number of states. However, $\mathbb{U}$ has twice as many transitions as $\mathbb{T}$.

[Figure 4 drawing not reproduced; recoverable content: $\mathbb{S}$ is a chain carrying the labels $a|true$, $\tau|true$, $a|true$ in sequence, and $\mathbb{T}$ is a chain carrying $a|true$, $a|true$.]

Figure 4: Three branching feature bisimilar FTS



We see that the property of feature bisimulation that allows us to merge multiple transitions with the same
label and different feature expressions into a single transition now hinders us, since it also allows us to split
transitions. To avoid this problem we restrict to coherent bisimulations (cf. Definition 4(d)). Thus, we
require that states of $\mathbb{S}$ can only be related to states of the reduced $\mathbb{S}'$ for (supersets of) their reachability
set. Unfortunately, this recipe does not guarantee that a minimal FTS is found, as Figure 5 below shows,
but among all coherent branching feature bisimilar FTS our algorithm is able to find the smallest one,
see Theorem 12.



Figure 5: Minimal branching feature bisimilar vs. minimal coherent branching feature bisimilar 


In Figure 5, FTS $\mathbb{T}$ is branching feature bisimilar to FTS $\mathbb{S}$, and has the minimal number of states and
transitions. However, when restricting to coherent branching feature bisimulation relations, FTS $\mathbb{U}$ is the
smallest FTS that can be obtained from $\mathbb{S}$ such that $\mathbb{S} \sim_{cbf} \mathbb{U}$. Note that the relation $R$ with $R(s_2, f, t_1)$
and $R(s_2, \neg f, t_2)$ is not coherent, since $\rho(s_2) = true$ does not imply $f$ nor $\neg f$. We will adapt the reduction
algorithm described in Section 2 for minimization modulo coherent branching feature bisimulation.

Before describing the algorithm, we first show that the problem of coherent branching feature bisimulation
minimization is NP-hard by reducing the chromatic number problem to it: given a graph, what
is the minimum number of colors to color the nodes such that adjacent nodes have different colors? To
verify the construction, we need an auxiliary result.
Lemma 7. Let $\mathbb{S} = (S, \theta, s_*)$ be an FTS with states $s$ and $t$. If $R(s, \rho(s) \wedge \rho(t), t)$ for a branching feature
bisimulation relation $R$, then $\mathbb{S} \sim_{cbf} \mathbb{S}'$ with states $s$ and $t$ related to a single state of $\mathbb{S}'$.

Proof. Let $\mathbb{S}' = (S', \theta', s'_*)$ with $S' = (S \setminus \{s, t\}) \cup \{r\}$ for some $r \notin S$, with $\theta'(u, \alpha, v) = \theta(u, \alpha, v)$ for $u, v \in S'$,
$u, v \neq r$ and $\theta'(u, \alpha, r) = \theta(u, \alpha, s) \vee \theta(u, \alpha, t)$ for $u \neq r$, $\theta'(r, \alpha, v) = \theta(s, \alpha, v) \vee \theta(t, \alpha, v)$ for $v \neq r$, and
$\theta'(r, \alpha, r) = \bigvee_{q, w \in \{s, t\}} \theta(q, \alpha, w)$, and finally with $s'_* = s_*$ if $s_* \neq s, t$, and $s'_* = r$ otherwise. Using that $R$
is a branching feature bisimulation with $R(s, \rho(s) \wedge \rho(t), t)$, one constructs a coherent branching feature
bisimulation $R'$ such that $R'(s, \rho(s), r)$ and $R'(t, \rho(t), r)$. □

Next we set the stage for a reduction of graph coloring to coherent branching feature bisimulation minimization.
Consider an undirected graph $\mathcal{G} = (V, E)$ with nodes in $V$ and edges in $E$. Let $A = \{a\}$,
$\mathcal{F} = \{ f_v \mid v \in V \}$ and $\mathcal{P} = \{ P_v \mid v \in V \}$. The FTS $\mathbb{S}_\mathcal{G} = (S_\mathcal{G}, \theta_\mathcal{G}, s_1)$ of $\mathcal{G}$ is such that $S_\mathcal{G} = \{ s_1, s_2 \} \cup$
$\{ s_v \mid v \in V \}$ for distinct states $s_1$ and $s_2$, $\theta(s_1, a, s_v) = \bigvee \{ f_u \mid (u, v) \in E \} \vee f_v$ for all $v \in V$, and
$\theta(s_v, a, s_2) = f_v$, and finally such that $\theta(s, a, s') = false$ in all other cases.

Theorem 8. Let $\mathbb{S}'_\mathcal{G}$ be the minimal FTS that is coherent branching feature bisimilar to the FTS $\mathbb{S}_\mathcal{G}$ given
above. Then the number of states in $\mathbb{S}'_\mathcal{G}$ is equal to the chromatic number of $\mathcal{G}$ plus 2.

Proof. Let $Y$ be a set of colors. Suppose $\gamma : V \to Y$ is a coloring of $\mathcal{G}$ using all colors. Then the FTS
$(\{s_1, s_2\} \cup Y, \theta_\gamma, s_1)$, where $\theta_\gamma(s_1, a, C) = \bigvee_{\gamma(u) = C} \theta(s_1, a, s_u)$, $\theta_\gamma(C, a, s_2) = \bigvee_{\gamma(u) = C} f_u$, is coherent branching
feature bisimilar to $\mathbb{S}_\mathcal{G}$ via the relation $R$ such that $R(s_i, true, s_i)$ for $i = 1, 2$, and $R(s_u, \rho(s_u), \gamma(u))$.

Reversely, an FTS $\mathbb{S}'$ that is coherent branching feature bisimilar to $\mathbb{S}_\mathcal{G}$ can only identify states $s_u, s_v$
for $u, v \in V$. Hence such an FTS induces a coloring for $\mathcal{G}$. Pick for each state $s_v$ a single $s' \in S'$ such
that $R(s_v, \varphi, s')$ for a coherent branching feature bisimulation $R$ relating $\mathbb{S}$ and $\mathbb{S}'$. If states $s_u$ and $s_v$
correspond to the same state of $\mathbb{S}'$, there can be no edge between $u$ and $v$ in $\mathcal{G}$. For if $(u, v)$ is an edge
in $\mathcal{G}$, we have $s_1 \xrightarrow{a} s_u \xrightarrow{a} s_2$ and $s_1 \xrightarrow{a} s_v \not\xrightarrow{a}$ in the projection of $\mathbb{S}_\mathcal{G}$ for the product $P_u$, but $s_1 \xrightarrow{a} s_u \not\xrightarrow{a}$
and $s_1 \xrightarrow{a} s_v \xrightarrow{a} s_2$ in the projection of $\mathbb{S}_\mathcal{G}$ for the product $P_v$.

It follows that the FTS $\mathbb{S}'_\mathcal{G}$ that is minimal coherent branching feature bisimilar to $\mathbb{S}_\mathcal{G}$ corresponds to a
minimal coloring of $\mathcal{G}$. Moreover, the number of states different from the images of $s_1$ and $s_2$ corresponds
to the number of colors needed. □

Note how, in the proof above, the coherence condition ‘if $R(s, \varphi, s')$ then $\rho(s) \Rightarrow \varphi$’ enforces that for the
minimal FTS $\mathbb{S}'_\mathcal{G}$ the products that can reach $s_v$ in $\mathbb{S}_\mathcal{G}$ are not split over multiple states in $\mathbb{S}'_\mathcal{G}$. From the
theorem we obtain the following result.

Corollary 9. Constructing a minimal coherent branching feature bisimilar FTS is NP-complete. □ 

Before we provide an algorithm for minimization of an FTS modulo coherent branching feature bisimulation,
we slightly generalize the notion of a partition as used in Section 2 to allow a state to belong to
separate groups of products.

A collection $\mathcal{B} = \{ B_i \mid i \in I \}$ of non-empty subsets of a set $S$ is called a semi-partition of $S$ if
(i) $\bigcup_{i \in I} B_i = S$, and (ii) for $j \neq i$: $B_j \setminus B_i \neq \emptyset$. Thus, $\mathcal{B}$ covers $S$ and no $B_j$ is strictly contained in a $B_i$.
Also, for a semi-partition its elements are referred to as blocks. We say that a semi-partition $\mathcal{B}'$ is a
refinement of a semi-partition $\mathcal{B}$ if every block of $\mathcal{B}'$ is a subset of a block of $\mathcal{B}$. Likewise, we say that
$\mathcal{B}$ is coarser than $\mathcal{B}'$. A semi-partition $\mathcal{B}$ of $S$ induces a relation on $S$ (not necessarily an equivalence
relation), where two elements of $S$ are related iff they are included in the same block of $\mathcal{B}$.
Given an FTS $\mathbb{S} = (S, \theta, s_*)$, we first do some preprocessing. We eliminate unreachable states and
strengthen the transition constraint with the reachability condition for its source state:

$S := \{ s \in S \mid \rho(s) \not\sim_\mathcal{P} false \}$ and $\theta(s, \alpha, s') := \theta(s, \alpha, s') \wedge \rho(s)$

We define the set $A_f$ of so-called featured labels by $A_f = \{ (\alpha, \psi) \mid \exists s, t : \theta(s, \alpha, t) = \psi \wedge \psi \not\sim_\mathcal{P} false \}$.
For a semi-partition $\mathcal{B}$ of $S$, $B, B' \in \mathcal{B}$ and featured label $(\alpha, \psi) \in A_f$ we let

$non\text{-}neg_{(\alpha,\psi)}(B, B') = \{ s \in B \mid \forall P \in \mathcal{P}, P \models \rho(s) \wedge \psi : \exists n\, \exists s_0, \ldots, s_n \in B\, \exists s' \in B'\, \exists \psi_1, \ldots, \psi_n, \psi' :$

$s_0 = s \wedge (\forall i, 1 \le i \le n : s_{i-1} \xrightarrow{\tau|\psi_i} s_i \wedge P \models \psi_i) \wedge s_n \xrightarrow{\alpha|\psi'} s' \wedge P \models \psi' \}$,

and define its subset $pos_{(\alpha,\psi)}(B, B')$ to include all $s \in non\text{-}neg_{(\alpha,\psi)}(B, B')$ for which $\psi \Rightarrow \rho(s)$ and
$s_n \xrightarrow{\alpha|\psi} s'$ for $s_n \in B$, $s' \in B'$ as above. Moreover, we define $neg_{(\alpha,\psi)}(B, B') = B \setminus non\text{-}neg_{(\alpha,\psi)}(B, B')$.
We know for sure that two states $s$ and $t$ of a block $B$ are behaviorally different if $s \in pos_{(\alpha,\psi)}(B, B')$ and
$t \in neg_{(\alpha,\psi)}(B, B')$. Therefore, we say that $B'$ is a splitter of $B$ with respect to $(\alpha, \psi)$ if $B \neq B'$ or $\alpha \neq \tau$,
and $pos_{(\alpha,\psi)}(B, B'), neg_{(\alpha,\psi)}(B, B') \neq \emptyset$ (meaning there is at least one state in the pos-set that must do
an actual $\tau$-step to reach $B'$). If $\mathcal{B}$ is a semi-partition of $S$ and $B'$ is a splitter of $B$ with respect to $(\alpha, \psi)$,
then the semi-partition $\mathcal{B}'$ is obtained from $\mathcal{B}$ by replacing block $B$ by $B_1 = non\text{-}neg_{(\alpha,\psi)}(B, B')$ and
$B_2 = B \setminus pos_{(\alpha,\psi)}(B, B')$. However, in the case that $B_1$ or $B_2$ is a subset of another block in the partition
(apart from $B$), it is not added, to ensure that $\mathcal{B}'$ is a semi-partition.

The minimization algorithm starts from the trivial semi-partition $\{S\}$, and keeps refining the semi-partition
until no splitters are left. This results in the coarsest semi-partition, but still a block may
be covered completely by other blocks. Therefore, as post-processing, we remove as many blocks as
possible from the semi-partition, while preserving the semi-partition properties, to find the smallest semi-partition
(e.g. using an algorithm for the minimum set cover problem).

$\mathcal{B} := \{S\}$;

while a splitter $B'$ for a block $B$ with respect to a featured label $(\alpha, \psi)$ exists do

$\mathcal{B} := \mathcal{B} \setminus \{B\}$;
if $non\text{-}neg_{(\alpha,\psi)}(B, B') \subseteq B''$ for no $B'' \in \mathcal{B}$ then $\mathcal{B} := \mathcal{B} \cup \{ non\text{-}neg_{(\alpha,\psi)}(B, B') \}$ end;
if $B \setminus pos_{(\alpha,\psi)}(B, B') \subseteq B''$ for no $B'' \in \mathcal{B}$ then $\mathcal{B} := \mathcal{B} \cup \{ B \setminus pos_{(\alpha,\psi)}(B, B') \}$ end

end;
$\mathcal{B} :=$ smallest subset of $\mathcal{B}$ covering $S$;

It is easy to see that the algorithm terminates: Note that after each iteration at least two states have been
permanently split from each other. Since there are less than $|S|^2$ possible pairs of states in $S$, termination
will occur in at most $|S|^2$ iterations. In the theorem below, we call a semi-partition $\mathcal{C}$ stable
with respect to a block $B'$ if for no block $B$ and for no featured label $(\alpha, \psi)$, $B'$ is a splitter of $B$ with
respect to $(\alpha, \psi)$. The semi-partition $\mathcal{C}$ is itself called stable if $\mathcal{C}$ is stable with respect to all its blocks.
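The preprocessing, semi-partition refinement and Theorem 12 quotient of this section, as an added example that is not the paper's own code. Feature expressions are represented modulo $\sim_\mathcal{P}$ as the set of products satisfying them, so $\rho$, $\wedge$ and $\vee$ become set operations; the constructed input has the shape of FTS $\mathbb{S}$ in Figure 3 with $\varphi_1 = f$, $\varphi_2 = \neg f$ and $\psi_1 = \psi_2 = true$. Two readings are assumed where the text leaves room: the $\tau$-path in non-neg stays inside $B$ (as in the proofs of Lemmas 10 and 11), and pos requires some product to reach a step labelled exactly $\psi$.

```python
from collections import defaultdict
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

TAU = "tau"
Product = FrozenSet[str]   # a product is the set of features it selects
Expr = FrozenSet[Product]  # a feature expression modulo ~P: the products satisfying it


class FTS:
    """FTS (Definition 3) over a finite product set, with the Section 4 preprocessing.
    transitions: (source, action, expr, target); expr is the set of products enabling
    the transition, so 'true' is the whole product set."""

    def __init__(self, products, transitions, initial):
        self.products: Expr = frozenset(products)
        self.initial = initial
        self.theta: Dict[Tuple[str, str, str], Expr] = defaultdict(frozenset)
        self.states: Set[str] = {initial}
        for s, a, psi, t in transitions:
            self.theta[(s, a, t)] |= frozenset(psi)  # theta is a function: OR duplicates
            self.states |= {s, t}
        self.rho = self._reachability()
        # Drop unreachable states; strengthen each constraint with rho of its source.
        self.states = {s for s in self.states if self.rho[s]}
        self.theta = {k: psi & self.rho[k[0]] for k, psi in self.theta.items()
                      if psi & self.rho[k[0]]}
        self.succ: Dict[str, List[Tuple[str, Expr, str]]] = defaultdict(list)
        for (s, a, t), psi in self.theta.items():
            self.succ[s].append((a, psi, t))

    def _reachability(self) -> Dict[str, Expr]:
        """rho(s): products that can reach s from the initial state (least fixpoint)."""
        rho = {s: frozenset() for s in self.states}
        rho[self.initial] = self.products
        changed = True
        while changed:
            changed = False
            for (s, _, t), psi in self.theta.items():
                grown = rho[t] | (rho[s] & psi)
                if grown != rho[t]:
                    rho[t], changed = grown, True
        return rho

    def featured_labels(self) -> Set[Tuple[str, Expr]]:
        return {(a, psi) for (_, a, _), psi in self.theta.items()}

    def steps(self, s, block, P, action, target) -> List[Expr]:
        """Constraints of action-steps into target reachable from s by a tau-path that
        stays inside block and is enabled for product P (assumption: path inside block)."""
        seen, stack = {s}, [s]
        while stack:
            x = stack.pop()
            for a, psi, y in self.succ[x]:
                if a == TAU and P in psi and y in block and y not in seen:
                    seen.add(y)
                    stack.append(y)
        return [psi for x in seen for a, psi, y in self.succ[x]
                if a == action and y in target]


def non_neg(fts, B, B2, action, psi) -> FrozenSet[str]:
    """States of B from which every product reaching them and satisfying psi can do
    the step into B2 (vacuously true when no such product exists)."""
    return frozenset(s for s in B if all(any(P in w for w in fts.steps(s, B, P, action, B2))
                                         for P in fts.rho[s] & psi))


def pos(fts, B, B2, action, psi) -> FrozenSet[str]:
    """Subset of non_neg where psi implies rho(s) and a step labelled exactly psi exists."""
    return frozenset(s for s in non_neg(fts, B, B2, action, psi) if psi <= fts.rho[s]
                     and any(w == psi for P in psi for w in fts.steps(s, B, P, action, B2)))


def find_splitter(fts, blocks):
    for B in blocks:
        for B2 in blocks:
            for action, psi in fts.featured_labels():
                if action == TAU and B == B2:  # inert tau-steps never split a block
                    continue
                if pos(fts, B, B2, action, psi) and len(non_neg(fts, B, B2, action, psi)) < len(B):
                    return B, B2, action, psi
    return None


def minimize_coherent(fts) -> List[FrozenSet[str]]:
    """Refine {S} until stable, then keep the smallest sub-collection covering S."""
    blocks = [frozenset(fts.states)]
    while (sp := find_splitter(fts, blocks)) is not None:
        B, B2, action, psi = sp
        blocks.remove(B)
        for new in (non_neg(fts, B, B2, action, psi), B - pos(fts, B, B2, action, psi)):
            if not any(new <= other for other in blocks):
                blocks.append(new)
    for k in range(1, len(blocks) + 1):  # minimum set cover, brute force for small inputs
        for cover in combinations(blocks, k):
            if set().union(*cover) == fts.states:
                return list(cover)


def minimized_fts(fts, blocks):
    """Theorem 12: blocks become states; constraints are OR-ed over the block members."""
    theta = defaultdict(frozenset)
    for (s, a, t), psi in fts.theta.items():
        for B in blocks:
            for B2 in blocks:
                if s in B and t in B2 and (B != B2 or a != TAU):
                    theta[(B, a, B2)] |= psi
    return dict(theta), next(B for B in blocks if fts.initial in B)


# Constructed input: two products (with / without feature f); the a-step leads to s1
# for f-products and to s2 otherwise, and both continue with b for every product.
WITH_F, WITHOUT_F = frozenset({"f"}), frozenset()
TRUE, F, NOT_F = frozenset({WITH_F, WITHOUT_F}), frozenset({WITH_F}), frozenset({WITHOUT_F})
EXAMPLE = FTS(TRUE, [("s0", "a", F, "s1"), ("s0", "a", NOT_F, "s2"),
                     ("s1", "b", TRUE, "s3"), ("s2", "b", TRUE, "s3")], "s0")

if __name__ == "__main__":
    blocks = minimize_coherent(EXAMPLE)
    theta_min, start = minimized_fts(EXAMPLE, blocks)
    for (B, a, B2), psi in theta_min.items():
        print(sorted(B), "--", a, "|", len(psi), "product(s) -->", sorted(B2))
```

Running it merges s1 and s2 into one block and OR-s the two a-constraints into $true$, i.e. the reduced FTS has the shape of $\mathbb{T}$ in Figure 3.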

Lemma 10. For an FTS $\mathbb{S} = (S, \theta, s_*)$, $\mathcal{B}$ obtained from the algorithm is the smallest stable semi-partition
refining $\{S\}$.

Proof. We show by induction on the number of iterations of the algorithm that each stable partition
refines the current semi-partition $\mathcal{B}$. Let $\mathcal{C}$ be a stable semi-partition. Clearly the statement holds initially,
each semi-partition refines $\{S\}$. Suppose $\mathcal{C}$ refines semi-partition $\mathcal{B}$ obtained after a number of iterations
and suppose a splitter $B'$ of a block $B$ exists with respect to a featured label $(\alpha, \psi)$. It suffices to show
that any block $C$ of $\mathcal{C}$ is included in a block of $\mathcal{B}'$, the semi-partition obtained by splitting $B$. Pick a block
of $\mathcal{B}$ containing $C$. If this block is different from $B$, we are done. So, suppose $C \subseteq B$. We have to show
that either $C \subseteq non\text{-}neg_{(\alpha,\psi)}(B, B')$ or $C \subseteq B \setminus pos_{(\alpha,\psi)}(B, B')$.

Suppose $s, t \in C$ with $s \in pos_{(\alpha,\psi)}(B, B')$ and $t \in neg_{(\alpha,\psi)}(B, B')$. We derive a contradiction. Pick a
product $P \in \mathcal{P}$ such that $P \models \psi$. Such a product exists by definition of $A_f$. Choose $s_0, \ldots, s_n \in B$, $s' \in B'$,
$\psi_1, \ldots, \psi_n, \psi' \in \mathbb{B}(\mathcal{F})$ such that $s_0 = s$, $s_{i-1} \xrightarrow{\tau|\psi_i} s_i$ for $1 \le i \le n$, $s_n \xrightarrow{\alpha|\psi'} s'$, and moreover $P \models \psi_i$, for
$1 \le i \le n$, and $P \models \psi'$. Let $C_0, \ldots, C_n, C'$ be the blocks of $\mathcal{C}$ such that $s_i \in C_i$ and $s' \in C'$. Note that $C_i \subseteq B$,
for $0 \le i \le n$, and $C' \subseteq B'$. Using the fact that $\mathcal{C}$ is stable we can construct a sequence $t_0, \ldots, t_m \in B$,
$t' \in B'$, $\varphi_1, \ldots, \varphi_m, \varphi' \in \mathbb{B}(\mathcal{F})$ such that $t_0 = t$, $t_{i-1} \xrightarrow{\tau|\varphi_i} t_i$ for $1 \le i \le m$, $t_m \xrightarrow{(\alpha|\varphi')} t'$, and moreover
$P \models \varphi_i$ for $1 \le i \le m$, and $P \models \varphi'$. This contradicts $t \in neg_{(\alpha,\psi)}(B, B')$, and proves the induction step.
Finally, we observe that $\mathcal{B}$ itself is a stable semi-partition that refines $\{S\}$. □


Lemma 11. Let $\mathbb{S} = (S, \theta, s_*)$ be an FTS, and $\mathbb{S}' = (S', \theta', s'_*)$ be an FTS such that $\mathbb{S} \sim_{cbf} \mathbb{S}'$ by a
relation $R$. Then $R$ defines a stable semi-partition $\mathcal{C}$ of $S$ such that $s \sim_\mathcal{C} t$ iff $\exists r \in S' : R(s, \rho(s), r) \wedge$
$R(t, \rho(t), r)$.

Proof. We have to show that $\mathfrak{C}$ is stable indeed. Suppose that there are blocks $B, B'$ in $\mathfrak{C}$ such that $B'$ is a splitter of $B$ with respect to a featured label $(a,\psi)$. This means there are states $s$ and $t$ in $B$ such that $s \in \mathit{pos}_{(a,\psi)}(B,B')$ and $t \in \mathit{neg}_{(a,\psi)}(B,B')$. We pick $P \in \mathcal{P}$ such that $P \models p(s) \wedge p(t) \wedge \psi$. By definition of the pos-set there exist $s_0, \ldots, s_n \in B$, $s' \in B'$, $\psi_1, \ldots, \psi_n, \psi' \in \mathbb{B}(\mathcal{F})$ such that $s_0 = s$, $s_{i-1} \xrightarrow{\tau|\psi_i} s_i$ for $1 \leq i \leq n$, $s_n \xrightarrow{a|\psi'} s'$, and moreover $P \models \psi_i$ for $1 \leq i \leq n$, and $P \models \psi'$. Since $s_n \in B$ we have, by construction of $\mathfrak{C}$, both $R(s_n, p(s_n), r)$ and $R(t, p(t), r)$ for a suitable $r \in S'$. Therefore, there exists a feature bisimulation relation $R'$ on $\mathcal{S}$ such that $R'(s_n, p(s_n) \wedge p(t), t)$. Using the transfer condition of this relation we can construct a sequence $t_0, \ldots, t_m \in B$, $t' \in B'$, $\varphi_1, \ldots, \varphi_m, \varphi' \in \mathbb{B}(\mathcal{F})$ such that $t_0 = t$, $t_{i-1} \xrightarrow{\tau|\varphi_i} t_i$ for $1 \leq i \leq m$, $t_m \xrightarrow{a|\varphi'} t'$, and moreover $P \models \varphi_i$ for $1 \leq i \leq m$, and $P \models \varphi'$. This contradicts $t \in \mathit{neg}_{(a,\psi)}(B,B')$, and proves that $\mathfrak{C}$ is stable. □ 

We are now in a position to prove the correctness of the minimization algorithm. 

Theorem 12. Assume that $\mathfrak{B}$ is the partition obtained upon termination after applying the algorithm to the FTS $\mathcal{S} = (S, \theta, s_*)$. Define the FTS $\mathcal{S}_{min} = (\mathfrak{B}, \theta_{min}, B_*)$ by letting (i) $\theta_{min}(B, a, B') = \bigvee \{\, \theta(s,a,s') \mid s \in B,\ s' \in B' \,\}$ with $B \neq B'$ or $a \neq \tau$, and (ii) by choosing $B_*$ such that $s_* \in B_*$. Then $\mathcal{S}_{min}$ is the smallest FTS that is coherent branching feature bisimilar to $\mathcal{S}$. 

Proof. By Lemma 10 we have that $\mathfrak{B}$ is the smallest stable semi-partition refining $\{S\}$. It suffices to show, using Lemma [Tj, that a coherent branching feature bisimulation for $\mathcal{S}$ and $\mathcal{S}_{min}$ exists. By Lemma 11, every coherent branching feature bisimulation relation from $\mathcal{S}$ to an FTS $\mathcal{S}'$ induces a stable semi-partition refining $\{S\}$, implying that $\mathcal{S}_{min}$ is indeed minimal. □ 

Thus, given an FTS $\mathcal{S}$, we continue to refine the trivial semi-partition until no more splitters can be found. Splitting a block is done cautiously: (i) it must eliminate a splitter and (ii) it must yield a semi-partition again. The final semi-partition that is reached induces an FTS $\mathcal{S}_{min}$ that is the smallest FTS that is coherent branching feature bisimilar to $\mathcal{S}$. The next section reports on a small case study using this approach. 
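The refinement loop just described, together with the quotient construction of Theorem 12, as an added worked example in Python. This is not code from the paper or from the mCRL2 toolset; it works in a deliberately simplified setting that is an assumption of the example: a feature expression is represented by the set of products that satisfy it (so the disjunction of Theorem 12 becomes a set union), featured labels range over (action, product) pairs, $\mathit{pos}_{(a,P)}(B,B')$ is the set of states of $B$ that, for product $P$, can reach by inert $\tau$-steps inside $B$ a state with an $a$-step into $B'$ (with $B \neq B'$ or $a \neq \tau$), and plain partitions stand in for the paper's semi-partitions. The five-state FTS, its two products and the feature expressions are constructed for the example.

```python
# Added example (not from the paper): partition refinement for a small FTS and the
# quotient theta_min(B, a, B') = OR of theta(s, a, s') over s in B, s' in B'.
# Assumptions: feature expressions are the sets of products satisfying them,
# featured labels are (action, product) pairs, plain partitions replace semi-partitions.

TAU = "tau"

# Constructed sample family: two products, identified by their feature sets.
P_COFFEE = frozenset({"Coffee"})
P_COFFEE_TEA = frozenset({"Coffee", "Tea"})
PRODUCTS = (P_COFFEE, P_COFFEE_TEA)

TRUE = frozenset(PRODUCTS)          # feature expression "true"
TEA = frozenset({P_COFFEE_TEA})     # feature expression "Tea"

# Constructed sample FTS: theta maps (s, a, s') to the set of products enabling it.
THETA = {
    (0, "insert", 1): TRUE,
    (1, TAU, 2): TRUE,          # inert internal step: state 1 differs from 2 only by it
    (2, "coffee", 3): TRUE,
    (2, "tea", 4): TEA,         # only products with feature Tea offer tea
    (3, "pour", 0): TRUE,
    (4, "pour", 0): TRUE,       # 3 and 4 behave identically and should be merged
}
STATES = frozenset(s for (s, _, _) in THETA) | frozenset(t for (_, _, t) in THETA)
ACTIONS = frozenset(a for (_, a, _) in THETA)


def inert_closure(s, block, prod, theta):
    """States reachable from s via tau steps that stay inside `block` and are enabled for `prod`."""
    seen, stack = {s}, [s]
    while stack:
        u = stack.pop()
        for (x, a, y), phi in theta.items():
            if x == u and a == TAU and y in block and prod in phi and y not in seen:
                seen.add(y)
                stack.append(y)
    return seen


def pos_set(block, target, action, prod, theta):
    """pos_{(action, prod)}(block, target): states of `block` that, for product `prod`,
    reach by inert tau steps a state with an `action` step into `target`."""
    result = set()
    for s in block:
        for u in inert_closure(s, block, prod, theta):
            if any(x == u and a == action and y in target and prod in phi
                   for (x, a, y), phi in theta.items()):
                result.add(s)
                break
    return frozenset(result)


def find_splitter(partition, theta, products, actions):
    """Return (B, pos) for some block B split by a featured label, or None if stable."""
    for B in partition:
        for Bp in partition:
            for a in actions:
                if a == TAU and B == Bp:
                    continue        # tau steps inside a block are inert: never a splitter
                for prod in products:
                    pos = pos_set(B, Bp, a, prod, theta)
                    if pos and pos != B:
                        return B, pos
    return None


def minimize(theta, states, products, actions):
    """Refine the trivial partition {S} until no splitter remains (the coarsest stable partition)."""
    partition = {frozenset(states)}
    while (split := find_splitter(partition, theta, products, actions)) is not None:
        B, pos = split
        partition.remove(B)
        partition.add(pos)
        partition.add(B - pos)
    return partition


def quotient(partition, theta):
    """theta_min(B, a, B') for B != B' or a != tau; OR of feature expressions is set union."""
    block_of = {s: B for B in partition for s in B}
    theta_min = {}
    for (s, a, t), phi in theta.items():
        B, Bp = block_of[s], block_of[t]
        if B == Bp and a == TAU:
            continue
        theta_min[(B, a, Bp)] = theta_min.get((B, a, Bp), frozenset()) | phi
    return theta_min


if __name__ == "__main__":
    blocks = minimize(THETA, STATES, PRODUCTS, ACTIONS)
    reduced = quotient(blocks, THETA)
    print(f"{len(STATES)} states / {len(THETA)} transitions -> "
          f"{len(blocks)} blocks / {len(reduced)} transitions")
    for (B, a, Bp), phi in sorted(reduced.items(), key=lambda kv: (min(kv[0][0]), kv[0][1])):
        print(sorted(B), f"--{a}|{sorted(sorted(p) for p in phi)}-->", sorted(Bp))
```

On this input the loop ends with the three blocks {0}, {1,2} and {3,4}, and the quotient has four transitions: the inert $\tau$ between 1 and 2 disappears and the two `pour` transitions collapse into one. Because a split only ever separates a pos-set from the rest of its block, the argument of Lemma 10 applies to this simplified setting as well: every stable partition refines every intermediate partition, so the result is the coarsest stable one regardless of the order in which splitters are found.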
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5 Experimental evaluation 

We extended the example SPL of a coffee vending machine described in [13, 3] with a soup component 
running in parallel. The complete SPL consists of 18 features and 118 products and the FTS modeling it 
contains 182 states and 691 transitions. The details of this SPL can be found in Appendix A. Basically, 
each product contains the well-known beverage component and optionally a soup component, and allows 
the insertion of either euros or dollars (returned upon a cancel) in either of its components. The user 
chooses a beverage (sugared or not) among those offered (at least coffee, cappuccino only for euros) or 
else a type of soup (at least one among chicken, tomato, pea). The user must place a cup to get soup. A 
cup detector is optional (mandatory for dollars). When present, soup is only poured if a cup was placed, 
else soup may be spilled. Placing a cup may need to be repeated if not detected. A soup order may be 
canceled until a cup is detected. Optionally, a shared ringtone may ring after delivery (mandatory for 
cappuccino), after which the user takes a cup (with a drink or soup) and can again insert money in either 
component. Concrete features have an associated cost (zero for abstract features) and the total cost of a 
product, summing the costs of the features it includes, does not exceed the fixed upper bound of 35. 

We used the mCRL2 toolset to verify the 12 properties listed in Appendix A against this SPL, both 
product-by-product and by using the FTS-based family approach described in EMI, and both with and 
without branching (feature) bisimulation minimization. For the approach with bisimulation we applied 
branching feature bisimulation to the FTS, resulting in a reduced FTS, which we projected to obtain the 
reduced LTS for each product. The results are shown in Table 1. For the product-by-product approaches, 
generating the projections for all products is included in the computation time, and so is the time for 
bisimulation reduction in case of the approaches with bisimulation. To even out effects caused by other 
processes running whilst performing the experiments, all computation times are averaged over 5 runs. 

Regarding the product-by-product approach, performing bisimulation reduction for the product LTS 
reduces the computation time by about 8%. For property 2 (The SPL is deadlock-free), the computation 
time with bisimulation is significantly larger than for other properties. In this case abstraction does not 
reduce the LTS. A similar observation holds for properties 1 (If a coffee is ordered, it is eventually 
poured), 5a (If a beverage is ordered, then eventually it is canceled or a cup is taken) and 5b (If soup is 
ordered, then eventually it is canceled, a cup is taken or the customer has bad luck), which are false, but 
deemed true after applying bisimulation reduction. They state that something eventually happens, which 
is not true in reality since the two components are running in parallel, thus abstraction creates infinite 
loops that allow postponing that something indefinitely. Applying bisimulation reduction causes these 
loops to be abstracted from completely, making the properties true for the reduced system. However, 
standard tricks, like the explicit signaling of the end of a cycle, could be applied to alleviate this problem. 

Now consider the FTS-based family approach. Without applying bisimulation reduction, the total 
computation time increases by almost 50% with respect to the product-by-product approach. Hence, for 
this SPL, FTS-based verification with mCRL2 is not beneficial compared to regular enumerative verification. 
However, if we apply bisimulation reduction, then the FTS-based computation times decrease 
by >70%. Only property 2 still needs more computation time than in the product-based approach (again 
because abstraction is not beneficial for the verification). Note that in case fewer actions are involved in a 
property, it is possible to abstract from larger parts of the FTS, implying faster verification. This effect 
was much less in the product-by-product approach. Hence, the more local a property, the more beneficial 
it is to perform FTS-based family verification in combination with branching feature bisimulation reduction 
using mCRL2. Obviously, this observation needs to be confirmed by experimenting with different 
SPLs, but based on this example the techniques proposed in this paper look rather promising. 
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
               PRODUCT-BY-PRODUCT                          FTS-BASED FAMILY APPROACH
               WITHOUT BISIMULATION  WITH BISIMULATION     WITHOUT BISIMULATION  WITH BISIMULATION
PROPERTIES     TIME (s)   RESULT     TIME (s)   RESULT     TIME (s)   RESULT     TIME (s)   RESULT
1               42.04     FALSE       38.18     TRUE        52.96     FALSE       13.60     TRUE
2               41.78     TRUE        41.65     TRUE        53.86     TRUE        53.69     TRUE
3a              42.32     TRUE        37.76     TRUE        70.57     TRUE         7.70     TRUE
3b              42.01     TRUE        37.78     TRUE        59.96     TRUE         7.98     TRUE
4a              40.62     TRUE        38.00     TRUE        24.18     TRUE         8.65     TRUE
4b              40.20     TRUE        37.88     TRUE        20.78     TRUE        10.68     TRUE
5a              42.38     FALSE       38.51     TRUE        66.08     FALSE       18.59     TRUE
5b              42.34     FALSE       38.09     TRUE        69.95     FALSE       14.92     TRUE
6               43.63     TRUE        39.17     TRUE       105.35     TRUE        29.72     TRUE
7a              42.45     TRUE        38.19     TRUE        71.07     TRUE        13.84     TRUE
7b              42.35     TRUE        38.04     TRUE        79.05     TRUE         9.48     TRUE
8               42.82     TRUE        39.09     TRUE        80.69     TRUE        20.47     TRUE
TOT            504.94                462.34                754.50                209.32

Table 1: Experimental evaluation results (time in seconds) 


6 Concluding remarks 

We have defined a novel notion of branching feature bisimilarity for FTS and an algorithm to minimize 
an FTS modulo coherent branching feature bisimulation. This complements and formalizes part of the 
feature-oriented modular verification approach of SPL with mCRL2 that we outlined in EH. An initial 
application of the minimization algorithm to a simplistic SPL promises significant verification speed-ups. 

It remains to establish the subset of the modal $\mu$-calculus that is preserved by (coherent) branching 
feature bisimulation, i.e. what properties are respected by our reduction technique. It is known that 
branching bisimulation preserves modal $\mu$-formulas without the next operator [9]. Theorem 6 may be used 
to lift the result to branching feature bisimulation, if the property $\mathcal{S} \models \varphi$ iff $\mathcal{S}_P \models \varphi$ is to hold. We leave 
this to future work. It would also be interesting to see whether the minimization algorithm's complexity 
can be reduced, possibly by lifting some optimizations from the Groote & Vaandrager algorithm for LTS 
to our FTS setting, or by splitting multiple blocks based on a single splitter. 

Finally, we plan to evaluate our modular verification approach on a more realistic SPL. By expanding 
the SPL of a coffee vending machine to examples growing in size, we may see if the exponential blow-up 
forecast by the NP-completeness result of Theorem 8 can be traced, in particular to observe at what point 
reduction time outweighs the gain of family-based verification. As noted by one of the reviewers, family- 
based verification approaches perform better on larger models (both in terms of states and variability), 
whereas reduction techniques are difficult to apply on real, industrial models. We hope that the idea, 
sketched in 0, to exploit the inherent modular structure of SPL to guide the abstraction, will prove 
fruitful in finding a balance in this trade-off and help to come up with automated support to reduce a system 
given a property. For this it is useful to reconstruct the experiments reported in [7] and to compare the 
performance gain. Also a study of the relationship of the preorder proposed in 0 to the equivalences 
put forward here is an interesting topic of research that may increase our understanding of the interplay 
between variability and internal behaviour. 
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A Example SPL 

Here we provide the details of the example SPL used for the experiments described in Section 5. It is an 
extension of the coffee vending machine described in H]-01 with a soup component running in parallel 
with the usual beverage component. It has the following list of functional requirements: 

• Each product contains a beverage component. Optionally, also a soup component is present. 

• Initially, either a euro must be inserted, exclusively for European products, or a dollar must be inserted, 
exclusively for Canadian products. The money can be inserted in either of the components. 

• Optionally, money inserted in a component can be retrieved via a cancel button, after which money 
can be inserted in this component anew. 

• If money was inserted in the beverage component, the user has to choose whether (s)he wants 
sugar, by pressing one of two buttons, after which (s)he can select a beverage. 

• The choice of beverage (coffee, tea, cappuccino) varies, but coffee must be offered by all products 
whereas cappuccino may be offered solely by European products. 

• Optionally, a ringtone may be rung after delivering a beverage. However, a ringtone must be rung 
by all products offering cappuccino. 

• After the beverage is taken, money can be inserted again in the beverage component. 

• If money was inserted in the soup component, the user has to choose a type of soup (chicken, 
tomato, pea). The types of soup offered vary, but at least one type must be offered by all products 
with a soup component. 

• The soup component does not contain cups to serve the soup in. Hence, the user has to place a 
cup to pour the soup in. Optionally, a cup detector may be present in the soup component. It is 
required that all Canadian products with a soup component are equipped with a cup detector. 

• If cup detection is present, the chosen type of soup will only be delivered after a cup has been 
detected by the soup component. However, the cup detector may fail to detect an already placed 
cup, after which the user will have to place it again. If a cancel option is available, the user may 
cancel the order as long as no cup has been detected. 

• If cup detection is not present, the soup will be delivered immediately after a type of soup was 
chosen, regardless of whether a cup was placed. If no cup was placed there will be no soup to take. 

• Optionally, a ringtone (shared with the beverage component) may be rung after delivering soup. 

• If a cup was present, money can be inserted again in the soup component after the soup is taken. 

These yield the attributed feature model in Figure 6 and the behavioral models in Figures 7 and 8. 
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Figure 6: Feature model of family of coffee vending machines 


In the attributed feature model, mandatory (core) features are marked by a closed bullet, optional features 
by an open one. Exactly one of the features E and D is selected, while at least one of the features CS, PS 
and TS is selected. As to cross-tree constraints, features P and D exclude each other, feature P requires 
feature R, and the simultaneous selection of features D and SC requires feature U. The value of the cost 
attribute of the concrete features is put inside a small circle (e.g. cost(X) = 10). Finally, as an additional 
constraint, we require that the total cost of all selected features does not exceed the threshold 35. 



Figure 7: FTS of beverage component 
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The FTS of the beverage component contains 14 states and 23 transitions and that of the soup component 
contains 13 states and 28 transitions, for a total of 182 states and 691 transitions in parallel composition. 


[Figure 8: FTS of the soup component (not reproduced; only the transition label "bad_luck / ¬U" survived extraction)] 



As reported in Section 5, we used the mCRL2 toolset to verify 12 properties against this SPL. These 
properties are listed next, together with their formalization in the mCRL2 variant of the modal $\mu$-calculus. 

1. If a coffee is ordered, then eventually coffee is poured: 
   [true*.coffee] (mu X. [!pour_coffee]X) 

2. The SPL is deadlock-free: 
   [true*] <true> true 

3a. A machine that accepts Euros does not accept Dollars: 
   [true*.(insertBev(Euro) || insertSoup(Euro)).true*.(insertBev(Dollar) || insertSoup(Dollar))] false 

3b. A machine that accepts Dollars does not accept Euros: 
   [true*.(insertBev(Dollar) || insertSoup(Dollar)).true*.(insertBev(Euro) || insertSoup(Euro))] false 

4a. A cup can only be taken out of the beverage component after a beverage was ordered: 
   [(!coffee && !tea && !cappuccino)*.take_cup] false 

4b. A cup can only be taken out of the soup component after soup was ordered: 
   [(!tomato && !chicken && !pea)*.take_soup] false 
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5a. If a beverage is ordered, then eventually the beverage is canceled or a cup is taken out of the beverage component: 
   [true*.(coffee || tea || cappuccino)] (mu X. [(!cancelBev && !take_cup)]X) 

5b. If soup is ordered, then eventually the soup is canceled, a cup is taken out of the soup component 
or the customer has bad luck: 
   [true*.(tomato || chicken || pea)] (mu X. [(!cancelSoup && !take_soup && !bad_luck)]X) 

6. If the machine has a soup component, then a beverage can be ordered without inserting more 
money after soup was ordered: 
   [true*.(insertSoup(Euro) || insertSoup(Dollar))] <true*.(tomato || chicken || pea).(!insertBev(Euro) && !insertBev(Dollar))*.(coffee || tea || cappuccino)> true 

7a. A beverage cannot be ordered without inserting more money if a previous beverage order is still 
pending: 
   [true*.(coffee || tea || cappuccino).(!insertBev(Dollar) && !insertBev(Euro))*.(coffee || tea || cappuccino)] false 

7b. Soup cannot be ordered without inserting more money if a soup order is pending: 
   [true*.(tomato || chicken || pea).(!insertSoup(Dollar) && !insertSoup(Euro))*.(tomato || chicken || pea)] false 

8. In a machine with cup detection, soup can only be poured after detecting a cup: 
   [true*.cup_present] [true*.(take_soup || bad_luck).(!cup_present)*.(pour_tomato || pour_chicken || pour_pea)] false 



